Sensitive data often follows former employees out the door

There is an old cliché that says a company's most valuable assets walk out the door at the end of the day. However, according to a recent security report, some other valuable assets are walking out the door as well, and they're not coming back.

In a survey from Osterman Research, 69 percent of organizations polled say that they have suffered significant data or knowledge loss resulting from employees who took information resources with them when they left the business.

Any form of data loss is a threat to a business, but the report notes that problems can arise both from employees actually taking data with them when they leave, and when departing employees have parked corporate information in locations like cloud storage services that are unknown or inaccessible to their former employer.

Worries over data loss arise from employees leaving for a new job or knowing that staff cuts are coming, owing to laws requiring 60 days of notice of an impending layoff. They may not know if they are on the cut list, but they know the layoffs are coming, which could compel some personnel to take company data.

The motivations for taking the data "are all over the map," says Michael Osterman, president of Osterman Research. "Sometimes it's employees who are leaving for a competitor and want some competitive edge with contacts or IP. Some are upset and have a beef with management and want to do a slash and burn on the way out," he says.

"People think this is their data and take it with them from place to place," says Greg Kelley, CTO with Vestige Digital Investigations, which conducts technology forensic investigations. "Quite often it's contact lists, pricing info or marketing materials. They don't think they are being malicious, just that it's theirs and they own it. Whether they know they are in violation of non-compete clause or the law, I can't say."

No malicious intent

Employees often want to take information with them because they believe it will be useful in their new job. A sales person may want to take a list of customers and prospects, for instance. Others might take professional contacts.

"It's stuff you are not necessarily doing maliciously, but want to hit the ground running in the new job, rather than recreating the wheel," Osterman says.

In some cases, even though there was no malicious intent, the company can be hurt. If an employee leaves for a competitor and takes customer lists, that amounts to the transfer of a proprietary asset from one company to another. It takes time, effort and cost to develop lists of customers or prospects, and handing that information over to a rival firm can cause serious harm, especially if high-value trade secrets are in play.

Sometime the data loss is inadvertent. In the BYOD era, people might leave their company without even realizing that they are taking information with them in the form of cloud or mobile apps.

Then there are those who do it maliciously, who might actually want to harm their employer or get a leg up in their new job with a competitor. But Osterman says that this is a relatively small group, amounting to about 5 percent to 10 percent of the total incidents of data loss.

Still another group takes data knowingly, but not thinking they are doing anything wrong. That could include salespeople, for instance, who feel entitled to take the contacts they worked so hard to develop, an asset they might feel that they own.

What to do about data loss

Experts say that the first issue to be settled is who owns the content. That's where employee contracts need to be established up front, so that everyone agrees about who owns Twitter followers, sales lists and other assets, Osterman says.

Next is to implement some sort of monitoring. That may be a behavioral analytics initiative to understand what employees are doing on a regular basis, making it easier to spot aberrant behavior. If there is a massive download from the CRM database at 2 a.m. on a Sunday, something might be off.

The easiest tech solution is to prevent copying data onto USB thumb drives. That was how both Chelsea Manning and Edward Snowden stole military and government information that was later leaked to the media. There is technology to prevent it, or at least to alert management of the copy.

Firms are also advised to get a grip on shadow IT. Krishna Narayanaswamy, chief scientist with the cloud-security firm Netskope, says that a typical firm has more than 1,000 cloud apps running across all categories, but of those, maybe between 5 percent and 10 percent are known by IT. The rest are unknown.

"So it's very easy — and we see this quite often — to download data from a sanctioned app," Narayanaswamy says.

Kelley argues that companies need to get more assertive about preventing data loss, beginning with limiting access to various data assets. Stricter access policies could prevent someone in sales from reaching high-value engineering drawings or formulas that have nothing to do with their job, for example.

Stricter data policies and constant monitoring

With those policies in place, firms must continue to monitor their data. That means being able to answer questions like who is accessing the data, how often, and whether they have a legitimate business reason to do so.

Finally, security experts urge companies to get more aggressive about locking down their PCs. That could mean preventing employees from writing data to USB drives, barring unauthorized cloud apps, and restricting the use of personal email, since it's all too easy to send out a data file as an attachment in Gmail.

"Instead of being Big Brother, you put up walls and shut down avenues that people use to take the info," Kelley says. However, he cautions that one area where that approach could backfire is when firms prevent writing to USB drives. People in sales may put a presentation or samples on a thumb drive, for instance, so write restrictions could be a nuisance for some employees.

Since no enterprise is going to block cloud storage completely, there needs to be better policy enforcement for sanctioned and unsanctioned apps, Narayanaswamy says. Firms can use a cloud access broker to implement a data classification program, segmenting data as important to one group or individual but not others and paving the way for a contextual access policy.

But perhaps the most critical factor relates to data policies and the human element — something that many companies don't handle well, according to Kelley.

"Companies are not good at communication," he says. "It's important to understand that in order to protect their information properly, they need proper written policies in place. Those policies need to be communicated to the employees. They need feedback from employees to find out if they are slowing down business. You're not just going to have just a tech solution."

Narayanaswamy is a bit more cynical about this.

"How many employees really read the policy and are aware of it? Probably not a lot," he says. "Here's where tech can help. If there are apps with sensitive data and you see unusual activity in terms of downloading the data, you can put up warning screens to remind them this is sensitive data and ask why they are doing it."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.